Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hijackthis log file

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hijackthis log file

Unread postby Paulgray » March 6th, 2006, 7:25 am

please can you look at my hijackthis log file

Cheers paulgray

Logfile of HijackThis v1.99.1
Scan saved at 11:23:14, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iNet Protector\IProtectorService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\postcode\Sage\AFDPcSage.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iNet Protector\iprotect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\ActEmail.exe
C:\PROGRA~1\ACT\actwp.wpi
C:\Program Files\BBC News alerts\skinkers.exe
C:\Program Files\Sage\Accounts\Sage.exe
C:\PROGRA~1\Sage\Accounts\SGLAUN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Zetafax\ZETAFAX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_L19111.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\DOCUME~1\PaulG\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AFD Postcode for Sage] c:\postcode\Sage\AFDPcSage.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [inetprot] "C:\Program Files\iNet Protector\iprotect.exe" tray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BBC News alerts] C:\Program Files\BBC News alerts\skinkers.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41C4BDE-C51B-42CD-9359-D7468126A653}: NameServer = 192.168.0.3,217.13.128.17
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\Program Files\ACT\actlink.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Internet Protector System Service (InternetProtectorService) - Unknown owner - C:\Program Files\iNet Protector\IProtectorService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Paulgray
Active Member
 
Posts: 4
Joined: March 6th, 2006, 6:54 am
Advertisement
Register to Remove

Unread postby SpotCheckBilly » March 6th, 2006, 9:20 pm

Hello paulgray,

Welcome to the MWR forums.

These two lines indicate that you have W32sober-x and W32sober-z:

O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe


Please download Stinger
  • Save it to your desktop
  • Double-click stinger.exe.
  • Choose your entire hard drive to scan.
  • Clickv Scan Now
  • Stinger will fix anything that it finds
  • Click File=>Save report to file
  • Stinger will save report to desktop
  • Post the log file when requested.
--->Important Step<---Before we get started, lHijackThis needs to be moved to its own, permanent folder.

HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.

Create a folder on the root drive, (Usually C:\), called C:\HJT.
1. Go to "My Computer", (Windows key+e), or by double-clicking on the "My Computer" icon on your desktop.
2. Double click on "C:"
3. Right click and select New->Folder. Name it HJT. Move HijackThis to this new folder.

Also move the "Backups" folder, for HiJackThis, if present.

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{F41C4BDE-C51B-42CD-9359-D7468126A653}: NameServer = 192.168.0.3,217.13.128.17
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)

With all windows closed except HiJackThis, click "Fix checked".

From "Safe Mode", (Reboot if necessary.) locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/ folders:

To show hidden files :

1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=>Yes[/color] to confirm.
4. Click Apply=>OK.
5. Close Control Panel.

folders...

C:\WINDOWS\WinSecurity

Note that some of these file(s) may not be present.

In your next reply, please include the following:
1. The report created by Stinger.
2. A fresh HijackThis log. :wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

new stinger and hijack logs

Unread postby Paulgray » March 7th, 2006, 6:10 am

Hi

Thanks very much. As requested I have attached the too logs

regards

Paul Gray

Stinger log


McAfee AVERT Stinger Version 2.5.9 built on Feb 2 2006

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.



Scan initiated on Tue Mar 07 09:19:52 2006

C:\Program Files\Symantec\LiveUpdate\LUALL.EXE

Found the W32/Sober@MM!M681 virus !!!

C:\Program Files\Symantec\LiveUpdate\LUALL.EXE has been deleted.

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011699.exe

Found the W32/Sober@MM!M681 virus !!!

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011699.exe has been deleted.

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011700.exe

Found the W32/Sober@MM!M681 virus !!!

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011700.exe has been deleted.

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011701.exe

Found the W32/Sober@MM!M681 virus !!!

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP115\A0011701.exe has been deleted.

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP181\A0014754.EXE

Found the W32/Sober@MM!M681 virus !!!

C:\System Volume Information\_restore{14444B9B-2565-4A30-A8DF-6056727CA05B}\RP181\A0014754.EXE has been deleted.

Number of clean files: 183957

Number of infected files: 5

Number of files deleted: 5

Hijack log

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iNet Protector\IProtectorService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\postcode\Sage\AFDPcSage.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iNet Protector\iprotect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\ActEmail.exe
C:\PROGRA~1\ACT\actwp.wpi
C:\Program Files\Zetafax\ZETAFAX.EXE
C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe
C:\Program Files\BBC News alerts\skinkers.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUMENTS AND SETTINGS\PAULG\DESKTOP\stng260.exe
C:\Program Files\Sage\Accounts\Sage.exe
C:\PROGRA~1\Sage\Accounts\SGLAUN~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AFD Postcode for Sage] c:\postcode\Sage\AFDPcSage.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [inetprot] "C:\Program Files\iNet Protector\iprotect.exe" tray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BBC News alerts] C:\Program Files\BBC News alerts\skinkers.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41C4BDE-C51B-42CD-9359-D7468126A653}: NameServer = 192.168.0.3,217.13.128.17
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\Program Files\ACT\actlink.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Internet Protector System Service (InternetProtectorService) - Unknown owner - C:\Program Files\iNet Protector\IProtectorService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Paulgray
Active Member
 
Posts: 4
Joined: March 6th, 2006, 6:54 am

Unread postby SpotCheckBilly » March 7th, 2006, 7:27 pm

Hello paul,

Since those two O4 entries are still appearing in your HJT log, it would appear that Stinger did not get rid of the whole infection. Don't get frustrated though, it often takes more than one go around to get rid of an infection.

I'm going to consult with some others on different methods of removing this infection, should the following not work. Meanwhile, let's do the this:

Disable system restore. Reboot to make the changes take effect.

Next, please download and run the Symantec removal tool.

Next, Re-enable system restore. System restore should automatically create a new system restore point. If it does not, please create one manually. Once again, reboot for the changes to take effect.

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{F41C4BDE-C51B-42CD-9359-D7468126A653}: NameServer = 192.168.0.3,217.13.128.17
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)

With all windows closed except HiJackThis, click "Fix checked".

From "Safe Mode", (Reboot if necessary.) locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/ folders:

To show hidden files :

1. Click Start=>Control Panel=>Folder Options=>View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=>Yes[/color] to confirm.
4. Click Apply=>OK.
5. Close Control Panel.

folders...

C:\WINDOWS\WinSecurity

Note that some of these file(s) may not be present.

Post back a newHJT log and we will see how we did. NOTE; Please make sure that the entire header is included with the log file . To ensure you get the entire log:

When Notepad opens with the contents of the log:
1. Hit Ctrl+a to select the entire document.
2. Hit Ctrl+c to copy it.
3. Hit Ctrl+v to paste contents into the reply box. .:wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Unread postby ChrisRLG » March 8th, 2006, 9:23 am

We have noticed a few things with your access to our forum.

1.
Several people are having logs done from the same IP number - YOURS.

2.
They have all registered in the last few days, all with different machines.

Our rules state that a person is not allowed to have more than one username registered at our forum.

I have moved all your topics to this room :-
http://www.malwareremoval.com/forum/viewforum.php?f=78

It is hidden from normal public view, and I would like you to please explain what is going on here.

What it looks like is that you are one person, and are using our services to provide a service toother people, possibly for a fee.

Can you pease explain what is going on.

ChrisRLG
Malware Removal
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Your access malware removal forum

Unread postby Paulgray » March 8th, 2006, 9:31 am

Hi Chris

There are six of us that work from home supporting an ecommerce site. A couple of us had problems with our pc and we decided following your great support on the first that we should check them all.

Many apologises if this has caused a problem, we were not aware that we could not do this.

I can assure you that we are not selling your services. We are just very greatful to have found a knowledge base that can assist us with getting our pc clean and not potentially infecting our customers or suppliers.

Many thanks

Paul
Paulgray
Active Member
 
Posts: 4
Joined: March 6th, 2006, 6:54 am

Unread postby ChrisRLG » March 8th, 2006, 9:59 am

Thank you for that info.

We do within the global anti-malware forums find computer workshops that do this, using the free services we (and other forums) provide and charge thier customers for 'thier' service.

We think that is unethical, and tell them so. We would prefer that 'computer tech' to join and learn themselves instead.

I will leave you all in this room for a day or two before moving them all back to normal rooms.

All your helpers also have access to this room.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » March 8th, 2006, 10:05 am

Do you have a link to your :-

There are six of us that work from home supporting an ecommerce site.


Please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Link

Unread postby Paulgray » March 8th, 2006, 10:08 am

Hi Chris



Thanks

Paul
Last edited by Paulgray on March 8th, 2006, 11:29 am, edited 1 time in total.
Paulgray
Active Member
 
Posts: 4
Joined: March 6th, 2006, 6:54 am

Unread postby ChrisRLG » March 8th, 2006, 10:11 am

Thanks - I did notice that a couple of your email accounts were with that site :)
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware